Virtual TPM
This guide outlines the implementation and configuration requirements for Virtual Trusted Platform Module (vTPM) v2.0 support in Private Cloud Director. The solution leverages the open source Barbican service for encryption key management. The Virtual TPM service enables TPM support on Private Cloud Director hypervisor hosts.
Image Preparation and Configuration
The Virtual TPM configuration is controlled through metadata that can be applied at the virtual machine image level.
When you add TPM metadata to an image, any VM created from that image will automatically enable vTPM with the specified configuration. The metadata parameters control:
The TPM version (1.2 or 2.0)
The TPM model type (tpm-tis or tpm-crb)
You can apply these configurations by adding metadata to the image as below:
Image-level Properties
Following is the TPM metadata that you need to associate with a virtual machine image in order to enable vTPM for the VMs created with the image.
hw_tpm_version = 2.0
hw_tpm_model = tpm-crb
For example, you might start with a standard Windows image without TPM support and later add TPM 2.0 support by updating the image metadata. Any new VMs created from this image will have TPM 2.0 enabled, while existing VMs remain unchanged.
VM Deployment and Verification
Create a VM with vTPM support through the Private Cloud Director UI
Make sure that the VM reaches the "Active" state
Perform TPM verification:
For Windows VMs:
For Linux VMs:
General TPM Verification:
Expected TPM configuration in XML:
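The following is an added example, not part of the original guide: it checks the hw_tpm_version / hw_tpm_model image properties described above for consistency, and cross-checks a VM's libvirt domain XML (as returned by virsh dumpxml) for the emulated TPM device those properties should produce. The <tpm> element layout and the rule that tpm-crb requires TPM 2.0 come from libvirt and Nova documentation, not from this page; the sample domain XML is constructed.

```python
# Added example: validate TPM image metadata and verify the resulting
# libvirt <tpm> device. Sample XML below is constructed, not captured.
import xml.etree.ElementTree as ET

VALID_VERSIONS = {"1.2", "2.0"}
VALID_MODELS = {"tpm-tis", "tpm-crb"}


def validate_image_properties(props):
    """Return problems with the TPM image metadata; empty list means OK."""
    problems = []
    version = props.get("hw_tpm_version")
    model = props.get("hw_tpm_model", "tpm-tis")  # Nova defaults to tpm-tis
    if version is None:
        problems.append("hw_tpm_version missing: vTPM will not be enabled")
    elif version not in VALID_VERSIONS:
        problems.append(f"hw_tpm_version={version!r} is not 1.2 or 2.0")
    if model not in VALID_MODELS:
        problems.append(f"hw_tpm_model={model!r} is not tpm-tis or tpm-crb")
    elif model == "tpm-crb" and version != "2.0":
        problems.append("tpm-crb is only valid with hw_tpm_version=2.0")
    return problems


def domain_tpm(domain_xml):
    """(model, backend type, version) of the domain's first <tpm>, or None."""
    tpm = ET.fromstring(domain_xml).find("./devices/tpm")
    if tpm is None:
        return None
    backend = tpm.find("backend")
    btype = backend.get("type") if backend is not None else None
    bver = backend.get("version") if backend is not None else None
    return (tpm.get("model"), btype, bver)


def vtpm_matches_image(domain_xml, props):
    """True when the VM exposes an emulated (swtpm) TPM of the requested model/version."""
    expected = (props.get("hw_tpm_model", "tpm-tis"), "emulator",
                props.get("hw_tpm_version"))
    return domain_tpm(domain_xml) == expected


# Constructed sample of what virsh dumpxml would show for a VM built from
# an image carrying hw_tpm_version=2.0 and hw_tpm_model=tpm-crb.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
  </devices>
</domain>"""
IMAGE_PROPS = {"hw_tpm_version": "2.0", "hw_tpm_model": "tpm-crb"}
```

A mismatch (wrong model, wrong version, or no <tpm> device at all) returns False, which is the condition to investigate before trusting the VM's attestation or disk-encryption setup.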
Secret Management Verification
Run the following command to make sure that the secrets were created successfully:
Each VM with a TPM should have a corresponding secret entry in Barbican.